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Intellectual Property Rights 



IPRs essential or potentially essential to the present document may have been declared to ETSI. The information 
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found 
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in 
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web 
server (http://www.etsi.org/ipr ). 

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee 
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web 
server) which are, or may be, or may become, essential to the present document. 



Foreword 

This Technical Specification (TS) has been produced by ETSI Technical Committee Security (SEC). 
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Background 



The Directive of the European Parliament and of the Council on a Community framework for electronic signatures 
(1999/93/EC) [1] defines requirements on a specific type of certificates named "Qualified Certificates". These 
certificates are given a specific relevance for acceptance of electronic signatures through the following part of article 5 
(Legal effects of electronic signatures). 

Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are 
created by a secure-signature-creation device: 

a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a 
handwritten signature satisfies those requirements in relation to paper-based data; and 

b) are admissible as evidence in legal proceedings. 

The Directive [1] defines a qualified certificate in article 2 as: 

""Qualified certificate" means a certificate which meets the requirements laid down in Annex I and is provided by 
a certification-service-provider who fulfils the requirements laid down in annex 11". 



1 Scope 



The present document defines a technical format for Qualified Certificates that can be used by issuers of Qualified 
Certificates to comply with annex I and II of the Directive [ 1 ] . 

This profile is based on the Qualified Certificate profile standard RFC 3039 [4]. 



2 References 

The following documents contain provisions which, through reference in this text, constitute provisions of the present 
document. 

• References are either specific (identified by date of publication and/or edition number or version number) or 
non-specific. 

• For a specific reference, subsequent revisions do not apply. 

• For a non-specific reference, the latest version applies. 

[1] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a 

Community framework for electronic signatures. 

[2] ITU-T Recommendation X.509 (1997) I ISO/IEC 9594-8: "Information technology - Open 

Systems Interconnection - The directory: Public-key and attribute certificate frameworks". 

[3] RFC 2459: "Internet X.509 Public Key Infrastructure Certificate and CRL Profile". 

[4] RFC 3039: "Internet X.509 Public Key Infrastructure Quahfied Certificates Profile". 

[5] ISO/IEC 8824-1 (1998) I ITU-T Recommendation X.680 (1997): "Information technology - 

Abstract Syntax Notation One (ASN.l): Specification of basic notation". 

[6] ISO/IEC 8824-2 (1998) I ITU-T Recommendation X.681 (1997): "Information technology - 

Abstract Syntax Notation One (ASN.l): Information object specification". 

[7] ISO/IEC 8824-3 (1998) I ITU-T Recommendation X.682 (1997): "Information technology - 

Abstract Syntax Notation One (ASN.l): Constraint specification". 

[8] ISO/IEC 8824-4 (1998) I ITU-T Recommendation X.683 (1997): "Information technology - 

Abstract Syntax Notation One (ASN.l): Parameterization of ASN.l specifications". 
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Document structure 



The normative and informative parts of the present document are provided according to the following document 
structure: 

• clause 4 contains the core part of the present document, defining the amendments to RFC 3039 [4]; 

• annex A provide a general information how the requirements of annex I of the directive can be implemented 
using tools defined in the present document as well as tools in the underlying standards RFC 2459 [3] and ITU-T 
Recommendation X.509 [2]; 

• annex B contains the ASN.l ([5], [6], [7], [8]) modules of the present document. 



Certificate profile 



Certificates according to the present document SHALL comply with the IETF Qualified Certificate ftofile 
RFC 3039 [4] with the amendments specified in this clause. 

In case of discrepancies between the present document and RFC 3039 [4], the present document is the normative one. 

4.1 Issuer field 

The name of the issuer contained in the issuer field (as defined in clause 3.1.1 in RFC 3039 [4]) MUST contain a 
country name stored in the countryName attribute. The specified country SHALL be the country in which the issuer of 
the certificate is established. 

4.2 Qualified Certificate Statements 

This profile defines a number of individual statements for use with the private extension for Qualified Certificates 
Statements "qCStatements extension", defined in RFC 3039 [4]. 

When this extension is marked critical, this means that all statements included in the extension are regarded as critical. 

The following statements are defined in this profile: 

• statement claiming that the certificates is issued as a Qualified certificate; 

• statement regarding limits on the value of transactions for which the certificate can be used; 

• statement indicating the duration of the retention period during which registration information is archived. 

4.2.1 Statement claiming tiiat tine certificates is a Qualified certificate 

The indication that a certificate is issued as a Qualified Certificate is provided according to the present document either: 

1) when one of the certificate policies identified in the Certificate Policies extensions, as defined in clause 4.2. 1.5 
from RFC 2459 [3], clearly express that the issuer intentionally has issued the certificate as a Qualified 
Certificate and that the issuer claims compliance with annex I and annex II of the directive; or 

2) when the Qualified Certificate Statements extension includes a statement, as defined in this clause. 
NOTE: Combination of both techniques is not necessary, but permitted. 

The optional statement defined in this clause contains: 

• An Identifier of the statement (represented by an OID), stating that the certificate is issued according to the 
EU-directive [1], as implemented in the country under which law the issuer is operating. 

esi4-qcStatement-l QC-STATEMENT ::= { IDENTIFIED 
BY id-etsi-qcs-QcCompliance } 
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— This statement is a statement by the issuer that this 

— certificate is issued as a Qualified certificate according 

— Annex I and II of the Directive 1999/93/EC of the European Parliament 

— and of the Council of 13 December 1999 on a Community framework 

— for electronic signatures, as implemented in the law of the country 

— specified in the issuer field of this certificate. 

id-etsi-qcs-QcCompliance OBJECT IDENTIFIER ::= { id-etsi-qcs 1 } 

4.2.2 Statement regarding limits on tine value of transactions 

The limits on the value of transactions, for which the certificate can be used, if applicable, may be indicated using the 
statement defined in this clause. 

This optional statement contains: 

• an identifier of this statement (represented by an OID); 

• a monetary value expressing the limit on the value of transactions. 

esi4-qcStatement-2 QC-STATEMENT ::= { SYNTAX QcEuLimitValue IDENTIFIED 

BY id-etsi-qcs-QcLimitValue } 

-- This statement is a statement by the issuer which impose a 

-- limitation on the value of transaction for which this certificate 

-- can be used to the specified amount (MonetaryValue) , according to 

— the Directive 1999/93/EC of the European Parliament and of the 
-- Council of 13 December 1999 on a Community framework for 

— electronic signatures, as implemented in the law of the country 

— specified in the issuer field of this certificate. 

QcEuLimitValue ::^ MonetaryValue 

MonetaryValue: := SEQUENCE { 

currency INTEGER (1..999), — per ISO 4217 
amount INTEGER, 

exponent INTEGER} 
-- value ^ amount * lO^exponent 

id-etsi-qcs-QcLimitValue OBJECT IDENTIFIER ::= { id-etsi-qcs 2 } 

4.2.3 Statement indicating the duration of the retention period of material 
information 

Reliance on qualified certificates may depend on the existence of external information retained by the CA. A significant 
aspect is that the Directive [1] allows name forms in certificates, such as pseudonyms, which may require assistance 
from the CA or a relevant name registration authority, in order to identify the associated physical person in case of a 
dispute. 

This optional statement contains: 

• an identifier of this statement (represented by an OID); 

• a retention period for material information relevant to the use of and reliance on the certificate, expressed as a 
number of years after the expiry date of the certificate. 

esi4-qcStatement-3 QC-STATEMENT ::= { SYNTAX QcEuRetentionPeriod IDENTIFIED 
BY id-etsi-qcs-QcRetentionPeriod } 

This statement is a statement by which the issuer guarantees 

— that for the certificate where this statement appears that 

— material information relevant to use of and reliance on the certificate 

— will be archived and can be made available upon 

— request beyond the end of the validity period of the certificate 

— for the number of years as indicated in this statement. 

QcEuRetentionPeriod : := INTEGER 
id-etsi-qcs-QcRetentionPeriod OBJECT IDENTIFIER : := { id-etsi-qcs 3 } 
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Annex A (informative): 
Relationship with the Directive 



This annex describes how requirements from the directive are addressed by the current document and referenced 
standards. 



A.1 Annex I of the directive 



Requirement from Annex 1 in tlie Directive [1] 


Implementation according to this profile and 
underlying standards 


(a) an indication tliat tlie certificate is issued as a qualified 
certificate; 


Inclusion of certificate policy defining this property or 
by inclusion of an explicit statement defining this 
property as defined in clause 4.2.1 


(b) tlie identification of tlie certification-service-provider and 
the State in wliicli it is establislied; 


By information stored in the issuer field as defined in 
clause 3.1 .1 of the IETF Qualified Certificate Profile 
[4]. 

The certificate must clearly indicate the country in 
which the issuer is established as defined in 
clause 4.1. 


(c) tine name of tlie signatory or a pseudonym, wliicli sliall 
be identified as sucli; 


As defined in clause 3.1 .2 of the IETF Qualified 
Certificate Profile [4]. 


(d) provision for a specific attribute of tlie signatory to be 
included if relevant, depending on the purpose for which 
the certificate is intended; 


As defined in clauses 3.1.2 and 3.2.1 of the IETF 
Qualified Certificate Profile [4]. 


(e) signature-verification data which correspond to 
signature-creation data under the control of the 
signatory; 


The public key with the associated information listed 
in this annex. 


(f) an indication of the beginning and end of the period of 
validity of the certificate; 


The validity period according to X.509 and RFC 2459. 


(g) the identity code of the certificate; 


The serial number of the certificate according to 
X.509 and RFC 2459. 


(h) the advanced electronic signature of the certification- 
service-provider issuing it; 


The digital signature of the issuer according to X.509 
and RFC 2459. 


(i) limitations on the scope of use of the certificate, if 
applicable; and 


Provided by information in the certificate Policies 
extension, the Key Usage Extension and the 
Extended Key Usage Extension according to X.509 
[2] and RFC 2459 [3]. 


(j) limits on the value of transactions for which the 
certificate can be used, if applicable. 


According to clause 4.2.2 of the present document. 
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A.2 Annex II of the directive 



Annex II contains "requirements for certification-service-providers issuing qualified certificates", which generally don't 
impact certificate format. Some specific functions of qualified certificates, as listed below, may however be used to 
support some of these requirements. 



Requirement from Annex II in tlie Directive [1] 


Supporting meclianisms 


Requirement b) includes requirement on a secure and 
immediate revocation service. 


The certificate extensions CRL distribution point and 
authority information access may contain information 
used to find and identify these services. 


Requirement i) includes requirement on retention of 
relevant information for an appropriate period of time. 


Clause 4.2.3 defines a statement that can be used to 
communicate the retention period to relying parties. 


Requirement k) states that relevant part of the terms and 
conditions regarding the use of the certificate shall be 
made available on request to third-parties relying on the 
certificate. 


A certificate policy identified in the certificate policies 
extension may contain a qualifier of the type "CPSuri" 
pointing to the location where such information can be 
obtained. 
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Annex B (normative): 
ASN.1 declarations 



ETSIQCprof ile { itu-t(O) identif ied-organization ( 4 ) etsi(O) id-qc-prof ile ( 18 62 ) id-mod(O) id-mod-qc- 
prof ile (1) } 

DEFINITIONS EXPLICIT TAGS : : = 

BEGIN 

— EXPORTS All — 

IMPORTS 

QC-STATEMENT, qcStatement-1 

FROM PKIXqualified93 {iso(l) identif ied-organization ( 3) dod(6) 
internet(l) security(5) mechanisms ( 5) pkix(7) id-mod(O) 
id-mod-qualif ied-cert-93 (11) } ; 

— statements 



esi4-qcStatement-l QC-STATEMENT : :- { IDENTIFIED 

BY id-etsi-qcs-QcCompliance } 

This statement is a statement by the issuer that this 

certificate is issued as a Qualified certificate according 

Annex I and II of the Directive 1999/93/EC of the European Parliament 

and of the Council of 13 December 1999 on a Community framework 

for electronic signatures, as implemented in the law of the country 

— specified in the issuer field of this certificate. 

esi4-qcStatement-2 QC-STATEMENT ::- { SYNTAX QcEuLimitValue IDENTIFIED 
BY id-etsi-qcs-QcLimitValue } 

This statement is a statement by the issuer which impose a 
-- limitation on the value of transaction for which this certificate 

— can be used to the specified amount (MonetaryValue) , according to 

— the Directive 1999/93/EC of the European Parliament and of the 
-- Council of 13 December 1999 on a Community framework for 

— electronic signatures, as implemented in the law of the country 
-- specified in the issuer field of this certificate. 



QcEuLimitValue 



Monetary Value 



MonetaryValue : :^ 
currency 

amount 
exponent 



SEQUENCE { 

INTEGER (1 . . ^ 

INTEGER, 

INTEGER} 



value ^ amount * lO'^exponent 



per ISO 4217 



{ SYNTAX QcEuRetentionPeriod IDENTIFIED 



esi4-qcStatement-3 QC-STATEMENT 
BY id-etsi-qcs-QcRetentionPeriod } 

This statement is a statement by which the issuer guarantees 
-- that for the certificate where this extension appears that the 

— information received from the subscriber at the time of 

— registration will be archived and can be made available upon 

— request beyond the end of the validity period of the certificate 

— for the number of years as indicated in this statement. 



QcEuRetentionPeriod 



INTEGER 



-- object identifiers 
id-etsi-qcs 



OBJECT IDENTIFIER 



id-etsi-qcs-QcCompliance OBJECT IDENTIFIER 

id-etsi-qcs-QcLimitValue OBJECT IDENTIFIER 

id-etsi-qcs-QcRetentionPeriod OBJECT IDENTIFIER 

-- supported statements 



:^ { itu-t (0) identif ied-organization (4) etsi (0) 
id-qc-profile (18 62) qc- statement (1) } 

^ { id-etsi-qcs 1 } 
^ { id-etsi-qcs 2 } 
^ { id-etsi-qcs 3 } 



SupportedStatements QC-STATEMENT : := { 
qcStatement-1 | 
esi4-qcStatement-l | esi4-qcStatement-2 | esi4-qcStatement-3, 



. . .} 



END 
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